Few-Shot Network Intrusion Detection Using Online Triplet Mining
Jack Wilkie, Hanan Hindy, Christos Tachtatzis, Miroslav Bures, Robert Atkinson

TL;DR
This paper introduces a few-shot network intrusion detection method using online triplet mining and a KNN classifier, effective with minimal malicious training data, suitable for emerging or evolving threats.
Contribution
It proposes a novel triplet network approach with online triplet mining for few-shot intrusion detection, outperforming existing methods with limited malicious samples.
Findings
Effective with as few as 10 malicious samples per class
Competitive performance against state-of-the-art few-shot methods
Explored various online triplet mining algorithms and model configurations
Abstract
Network intrusion detection systems play a vital role in protecting networks by detecting malicious network traffic which can then be investigated by a cybersecurity operations centre. State-of-the-art approaches utilise supervised machine learning methods to train a classification model to recognise known cyberattacks; however, these models require a large labelled dataset to train and show poor performance when trained on smaller datasets. In an attempt to address this shortcoming, anomaly detection models learn the distribution of benign traffic and flag non-conforming traffic as malicious. While these methods do not require malicious examples to train, they suffer from high false-positive rates rendering them impractical. As a result, networks may be particularly vulnerable when there are insufficient labelled instances of a specific attack class to train an effective classifier.…
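An added sketch (not code from the paper or from this page) of what online triplet mining followed by a KNN classifier looks like on already-embedded flows. It assumes batch-hard mining, one common online strategy; the page does not say which strategies the paper evaluated. The 2-D embeddings, class labels, margin, k, and all function names are constructed for illustration.

```python
import math

# Constructed sample batch: embeddings a model might output for 7 flows.
# Benign traffic is plentiful; the attack classes have very few samples.
EMBS = [(0.0, 0.0), (0.2, 0.1), (0.1, 0.3), (0.3, 0.2),   # benign
        (2.0, 2.0), (2.2, 1.9),                           # dos
        (0.5, 0.4)]                                       # scan (single sample)
LABELS = ["benign"] * 4 + ["dos"] * 2 + ["scan"]

def batch_hard_triplets(embs, labels):
    """Mine triplets inside one batch from the current embeddings ("online").
    Per anchor: farthest same-class sample and nearest other-class sample."""
    triplets = []
    for i, anchor in enumerate(embs):
        pos = [j for j, l in enumerate(labels) if l == labels[i] and j != i]
        neg = [j for j, l in enumerate(labels) if l != labels[i]]
        if not pos or not neg:
            continue  # a class seen once in the batch cannot act as an anchor
        hardest_pos = max(pos, key=lambda j: math.dist(anchor, embs[j]))
        hardest_neg = min(neg, key=lambda j: math.dist(anchor, embs[j]))
        triplets.append((i, hardest_pos, hardest_neg))
    return triplets

def triplet_loss(embs, triplets, margin=1.0):
    """Mean of max(0, d(a,p) - d(a,n) + margin); margin is an assumed value."""
    losses = [max(0.0, math.dist(embs[a], embs[p])
                  - math.dist(embs[a], embs[n]) + margin)
              for a, p, n in triplets]
    return sum(losses) / len(losses) if losses else 0.0

def knn_predict(query, ref_embs, ref_labels, k=3):
    """Majority vote over the k nearest labelled embeddings."""
    order = sorted(range(len(ref_embs)),
                   key=lambda j: math.dist(query, ref_embs[j]))[:k]
    votes = {}
    for j in order:
        votes[ref_labels[j]] = votes.get(ref_labels[j], 0) + 1
    return max(votes, key=votes.get)

if __name__ == "__main__":
    mined = batch_hard_triplets(EMBS, LABELS)
    print("triplets:", mined)
    print("batch loss:", round(triplet_loss(EMBS, mined), 4))
    print("new flow ->", knn_predict((2.1, 2.0), EMBS, LABELS))
```

The lone "scan" sample still serves as a hard negative for every other anchor even though it yields no triplet of its own, which is why batch composition matters when a class has only a handful of samples.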
